Hacker group uses Google Translate to hide phishing sites

New phishing technique looks silly on desktops but may have a fighting chance on mobile devices.
Written by Catalin Cimpanu, Contributor

Cyber-criminal groups are using Google Translate to hide the real domain of their phishing sites, security researchers have discovered. Phishing emails that use this technique have already been spotted in the wild.

Also: Online security 101: Tips for protecting your privacy

The trick isn't complex at all. The idea is that phishing groups send their normal phishing emails, but instead of linking directly to their phishing page's domain, they pass the phishing page URL through Google Translate and use the newly generated Google Translate URL instead.

This Google Translate URL for the phishing page is then used inside the email instead of a direct link to the phishing site.

This means that when users press any buttons or links inside the phishing emails, they're redirected to the Google Translate portal, where the phishing page loads with the regular Google Translate toolbar at the top of the page.

Google Translate phishing
Image: Akamai

This latest trick isn't very effective on desktops, as there are multiple signs that may alert users that something is wrong, such as hovering the mouse over the links inside the emails to see the Google Translate domain or seeing the Google Translate toolbar at the top of the fake login (phishing) page.

However, these phishing emails appear more convincing on mobile devices where the compact layouts of email clients and web browsers makes hovering links impossible and where the Google Translate toolbar looks very much like a browser address bar when accessing the phishing page and scrolling down the page.

One such campaign abusing Google Translate to hide phishing page links was spotted by Akamai security researcher Larry Cashdollar last month.

Must read

This particular campaign wasn't particularly well put together, as it tried to collect the login credentials for both Google and Facebook accounts in one single go, by quickly redirecting victims from the Google login form to the Facebook one, after victims filled in the first, a greedy mistake that would have most likely alerted users that they've just been phished, and pushed them to change passwords right away.

But while this campaign was somewhat unpolished, users should be on the lookout for signs that they might be on the Google Translate website the next time they're trying to log in.

As for this campaign, Google said it already blocked the malicious URLs used for the phishing attacks detected by Akamai.

"We are aware of the phishing attempts and have blocked all sites in question, on multiple levels. If users encounter a phishing site, they can report them at this URL and we will take appropriate action: google.com/safebrowsing/report_phish/," a Google spokesperson told ZDNet.

Google said that after users report these phishing URLs and they're added to the company's global blacklist, Google Translate will block these sites as well.

Article updated with Google comments.

How to avoid being phished during holiday shopping season

More security coverage:

Editorial standards